From ce169c0a24e5c222a23780600e5b9bcc83e41cc3 Mon Sep 17 00:00:00 2001 From: Laurence Date: Tue, 23 Sep 2025 15:04:26 +0100 Subject: [PATCH 1/2] Update HAProxy SPOA documentation with new cookie management approach - Add new cookie management section explaining the improved approach - Update HAProxy configuration examples to include http-after-response directives - Add automatic cookie setting/clearing based on captcha_status - Improve documentation for CAPTCHA cookie handling --- .../unversioned/bouncers/haproxy_spoa.mdx | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx b/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx index f8b0ca8e1..0ccdb700a 100644 --- a/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx +++ b/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx @@ -170,6 +170,13 @@ frontend http-in filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)] http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found } + + ## Handle captcha cookie management via HAProxy (new approach) + ## Set captcha cookie when SPOA provides captcha_status (pending or valid) + http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found } + ## Clear captcha cookie when cookie exists but no captcha_status (Allow decision) + http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found } + use_backend backend crowdsec-spoa 
@@ -212,6 +219,23 @@ recaptcha turnstile ``` +#### Cookie Management (New Approach) + +The HAProxy SPOA bouncer now supports improved cookie management for CAPTCHA handling. This new approach uses `http-after-response` directives to manage CAPTCHA cookies more efficiently: + +```haproxy +## Handle captcha cookie management via HAProxy (new approach) +## Set captcha cookie when SPOA provides captcha_status (pending or valid) +http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found } +## Clear captcha cookie when cookie exists but no captcha_status (Allow decision) +http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found } +``` + +This approach provides: +- Automatic cookie setting when CAPTCHA status is pending or valid +- Automatic cookie clearing when the decision is to allow (no CAPTCHA status) +- More reliable cookie management compared to previous methods + ### Prometheus Metrics Enable and expose metrics: @@ -393,6 +417,12 @@ frontend test http-request set-header X-CrowdSec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found } http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found } + ## Handle captcha cookie management via HAProxy (new approach) + ## Set captcha cookie when SPOA provides captcha_status (pending or valid) + http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found } + ## Clear captcha cookie when cookie exists but no captcha_status (Allow decision) + http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found } + use_backend test_backend ``` 
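Review bot: `set-header` on `Set-Cookie` in the `frontend http-in` hunk (@@ -170,6 +170,13 @@) will drop cookies set by the backend. HAProxy's `set-header` removes every existing header of that name before adding the new one, so on any response where `txn.crowdsec.captcha_cookie` is found, an application session cookie sent by the backend is lost. Suggest `http-after-response add-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] ...` in both rules so the captcha cookie is appended next to the backend's cookies, or a comment stating that replacing them is intended.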
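Review bot: The bullet "More reliable cookie management compared to previous methods" and the phrase "now supports" in the added "Cookie Management (New Approach)" section (@@ -212,6 +219,23 @@) give the reader nothing to act on. The section does not say what the previous method was, from which bouncer release `captcha_cookie` and `captcha_status` are provided, or what happens to an existing config that lacks these directives. Both rules also emit the same variable, so the clearing behaviour must come from the value the SPOA places in `txn.crowdsec.captcha_cookie`; the section should state that explicitly instead of leaving it to be inferred from the snippet.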
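Review bot: The two added rules in the `frontend test` hunk (@@ -393,6 +417,12 @@) are redundant as written. They emit the identical header value and their conditions differ only in whether `captcha_status` is found, so together they fire whenever `txn.crowdsec.captcha_cookie` is found; a single rule ending in `if { var(txn.crowdsec.captcha_cookie) -m found }` would behave the same. If the split is kept for readability, say so in the comment, and reword "when cookie exists" so it is clear that it refers to the `txn.crowdsec.captcha_cookie` variable and not to a cookie sent by the client. This is also the third copy of the same block in the patch, so any later change has to be made in each place.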
From 5c3d5ed4c75ee6fcd60f30591183b983aac3b302 Mon Sep 17 00:00:00 2001 From: Laurence Date: Tue, 23 Sep 2025 15:07:25 +0100 Subject: [PATCH 2/2] Remove dedicated Cookie Management section - Remove the standalone Cookie Management (New Approach) section - Keep cookie management configuration examples in HAProxy config sections --- .../unversioned/bouncers/haproxy_spoa.mdx | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx b/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx index 0ccdb700a..08df47399 100644 --- a/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx +++ b/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx @@ -219,22 +219,6 @@ recaptcha turnstile ``` -#### Cookie Management (New Approach) - -The HAProxy SPOA bouncer now supports improved cookie management for CAPTCHA handling. This new approach uses `http-after-response` directives to manage CAPTCHA cookies more efficiently: - -```haproxy -## Handle captcha cookie management via HAProxy (new approach) -## Set captcha cookie when SPOA provides captcha_status (pending or valid) -http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found } -## Clear captcha cookie when cookie exists but no captcha_status (Allow decision) -http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found } -``` - -This approach provides: -- Automatic cookie setting when CAPTCHA status is pending or valid -- Automatic cookie clearing when the decision is to allow (no CAPTCHA status) -- More reliable cookie management compared to previous methods ### Prometheus Metrics
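Review bot: The config comments still read "(new approach)", but after the removal in this hunk (@@ -219,22 +219,6 @@) nothing on the page explains what is new or what the two `http-after-response` rules accomplish. Suggest keeping a one or two sentence description next to the configuration example, or dropping "(new approach)" from the comments in the config examples so they stand on their own.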